[Oisf-users] Question about thresholds

Carlos Lopez clopmz at outlook.com
Tue Oct 2 13:49:32 UTC 2018

Thanks Michal. And is it possible to disable all alerts from a specific IP address? For example:

suppress gen_id 0, sig_id 0, track by_src, ip

C. L. Martinez
From: Michał Purzyński <michalpurzynski1 at gmail.com>
Sent: 02 October 2018 13:39
To: Carlos Lopez
Cc: Open Information Security Foundation
Subject: Re: [Oisf-users] Question about thresholds

A real world example that seems to work here

suppress gen_id 1, sig_id 2002027, track by_dst, ip [,,2620:1111:1111:1111::/64]

On Tue, Oct 2, 2018 at 1:18 PM Carlos Lopez <clopmz at outlook.com> wrote:
Hi all,

Maybe it is a stupid question, but is it not possible to configure a CIDR network to suppress some alerts via threshold.conf? For example:

suppress gen_id 1, sig_id 2101201, track by_src, ip

 If not, what can be the best strategy to accomplish this?

C. L. Martinez
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
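As an added illustration (not code from the thread or from Suricata itself) of how the suppress lines discussed above match alerts: a small Python checker that parses `suppress ... ip <cidr>` and `ip [a, b, ...]` lines and reports whether a given alert would be silenced, so a proposed suppression can be dry-run against real alert tuples before it goes into threshold.conf. The parser and the sample addresses are assumptions of this example, and gen_id 0 / sig_id 0 wildcards are not modelled.

```python
import ipaddress
import re
from dataclasses import dataclass

# threshold.conf suppress syntax as quoted in the thread:
#   suppress gen_id <gid>, sig_id <sid>, track by_src|by_dst, ip <addr|cidr|[a, b, ...]>
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,\s*"
    r"track\s+(by_src|by_dst)\s*,\s*ip\s+(.+?)\s*$"
)

@dataclass
class Suppress:
    gen_id: int
    sig_id: int
    track: str
    networks: list  # ipaddress network objects, IPv4 and IPv6 may be mixed

def parse_suppress(line: str) -> Suppress:
    m = SUPPRESS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a suppress line: {line!r}")
    gid, sid, track, ipspec = m.groups()
    # Either a single address/CIDR or a bracketed, comma-separated list.
    # strict=False accepts a CIDR with host bits set (e.g. 10.0.0.5/24).
    items = [s.strip() for s in ipspec.strip("[]").split(",") if s.strip()]
    nets = [ipaddress.ip_network(i, strict=False) for i in items]
    return Suppress(int(gid), int(sid), track, nets)

def is_suppressed(rules, gen_id, sig_id, src, dst) -> bool:
    """Would an alert (gid, sid, src, dst) be dropped by any rule in `rules`?"""
    for r in rules:
        if (r.gen_id, r.sig_id) != (gen_id, sig_id):
            continue
        # by_src tests the source address, by_dst the destination address
        addr = ipaddress.ip_address(src if r.track == "by_src" else dst)
        # `addr in net` is False when IP versions differ, so mixed lists are safe
        if any(addr in net for net in r.networks):
            return True
    return False

# Constructed sample (not from the thread): placeholder IPv4 nets stand in for
# the ones lost in the archive, plus the IPv6 prefix Michał quoted.
SAMPLE_CONF = [
    "suppress gen_id 1, sig_id 2002027, track by_dst, "
    "ip [10.1.0.0/24, 10.2.0.0/24, 2620:1111:1111:1111::/64]",
    "suppress gen_id 1, sig_id 2101201, track by_src, ip 192.0.2.0/24",
]
RULES = [parse_suppress(line) for line in SAMPLE_CONF]
```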